<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Cambria",serif;
color:#44546A;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A">I agree with what John is saying, and in a way he has summed up my own struggle with HEART (and FHIR) since day one. Healthcare privacy is complex, and at the same time
we want to increase patient engagement without compromising privacy and security. Yet, to be successful, it needs to be simple and easy; otherwise patients (and providers) will not accept it, or it will increase the chances of accidental privacy breaches.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A">I believe that the existing use cases are too complex for us to start with unless we are going to break them down into much simpler components (or stepping stones)
for us to discuss, at least until we have a solid consensus on the scope.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A">It would help me (and maybe others, I hope) to discuss the simplest possible use case and work out from there. For example, the simplest meaningful use case I can
think of is the enrollment of a new patient. To contrast the nuances, I would like to suggest discussing how this use case would be implemented using two different clients, a known cloud-based PHR and a local application PHR. (I am open
to using a different use case; this is just a suggestion to clarify the process.)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> Use Case:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> Alice has decided to choose a new PCP and wants to electronically schedule her first appointment and complete the initial patient registration forms.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> Steps:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> Alice needs to create a new account on the practice's patient portal.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> The patient portal provides Alice with the practice's privacy policy (basic TPO use only as defined in 45 CFR 164.506) to review.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> The patient portal requests that Alice acknowledge she has received the practice's privacy policy to use her information for TPO (i.e. the
basic implied consent).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> Alice chooses Dr. Bob as the doctor she wants to see.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> Alice schedules an appointment.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> Alice then elects to complete the new patient registration forms online.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A">
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> Assumptions: (These may need to be revised)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> The cloud-based PHR system provides an Authentication service, an OAuth 2 service with UMA profiles.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> The Practice's Patient portal provides an Authentication service, an OAuth 2 service with UMA profiles.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> The local PHR application has its own local user access controls and supports only the basic OAuth 2 features required to interact with the
Practice Patient Portal.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A">
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> Questions:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> Client one: If Alice has chosen a cloud based PHR that already has an established trust:
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> What are the credentialing requirements to create Alice's account?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> Note that ONC's Ten year interop roadmap refers to NIST SP 800-63-2 and OMB M-040-04 and is implying level 2 or 3
levels of assurance (LOA). (see p. 59)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> Are there two or three consent profiles?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> One for Alice's PHR defining what to share with the Practice?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> One for the Practice defining what is to be shared with Alice's PHR?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> One for Alice at the Practice portal defining what the Portal (or Practice?) is to share?
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> How is the initial implied consent for TPO electronically presented, stored and accessed?
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> How is this consent profile used by the practice's internal HIT systems? (if at all)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> Client Two: If Alice has chosen a local application based PHR that has not established trust with the practice's portal:
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> What are the credentialing requirements to create Alice's account?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> Note that ONC's Ten year interop roadmap refers to NIST SP 800-63-2 and OMB M-040-04 and is implying level 2 or 3
levels of assurance (LOA). (see p. 59)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> Are there two or three consent profiles?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> Is there a profile for Alice's PHR defining what to share with the Practice?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> One for the Practice defining what is to be shared with Alice's PHR?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> One for Alice at the Practice portal defining what the Portal (or Practice?) is to share?
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> How is the initial implied consent for TPO electronically presented, stored and accessed?
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> How is this consent profile used by the practice's internal HIT systems? (if at all)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"> How is this consent profile used by the PHR and the Practice's Patient portal?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A">Bill<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A">
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Cambria",serif;color:#44546A"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Openid-specs-heart [mailto:openid-specs-heart-bounces@lists.openid.net]
<b>On Behalf Of </b>Eve Maler<br>
<b>Sent:</b> Tuesday, April 21, 2015 12:00 PM<br>
<b>To:</b> Debbie Bucci<br>
<b>Cc:</b> openid-specs-heart@lists.openid.net<br>
<b>Subject:</b> Re: [Openid-specs-heart] HEART stepping stones<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Also a bit hesitant, but in order to encourage others to jump in the pool... :)<o:p></o:p></p>
<div>
<p class="MsoNormal"><br clear="all">
<o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<p><b>Eve Maler<br>
</b>ForgeRock Office of the CTO | VP Innovation & Emerging Technology<br>
Cell <a href="tel:%2B1%20425.345.6756" target="_blank">+1 425.345.6756</a> | Skype: xmlgrrl | Twitter: @xmlgrrl<br>
Join our <a href="http://forgerock.org/openuma/" target="_blank">ForgeRock.org OpenUMA</a> community!<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Mon, Apr 20, 2015 at 7:40 AM, Debbie Bucci <<a href="mailto:debbucci@gmail.com" target="_blank">debbucci@gmail.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">Hesitant to speak up but since John asked ...<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">With regard to UMA Authorization Servers, are you suggesting that we consider a mix of personally-controlled and institutionally-controlled Authorization Servers or just one or the other?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><b>Mixed. I could see places where an Authorization service would/could be logically stood up outside an institution's borders (in the case of Health IT: ACO, HIE, etc.). Additionally, if these entities focus on patient/consumer value-add services,
those authorization services could/should allow the patient to add additional endpoints ... perhaps even federate with other known/trusted authorization services, including Adrian's 5.00 a month service - providing the binding is strong enough to be trusted.</b><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">When I think about "considering" authorization servers/services, it makes me think we (HEART?) have the power to determine the answer. I'm not sure we do. Someone I knew in the standards game used to talk about "sanction vs. traction",
sanction being formal blessing, and traction being ecosystem adoption. With individual preferences and proclivities in the mix, weird/cool things could happen. If constrained by regulation, certain market distortions are certain to take place.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I would really hope that we don't sequester <i>sources</i> of data in our use cases. Our charter certainly doesn't, and life doesn't work that way. This is why I was trying to point out in my first response to John that we have new examples
of data coming from patients as the most-upstream resource owners now. It would seem important for clinical purposes, not just for generic consumer purposes, to accommodate this in the access control picture.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">With regard to interface scopes, are there particular scopes that should be considered before others?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt">Don't understand this question. I think it's use case driven.</span></b><span style="font-size:10.0pt"><o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I took this to mean that there are various standardized permission scopes that are worth driving towards in our work here -- but I'm not sure.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">With regard to identity management and identity federation, would we consider patient ID before or after provider ID?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt">In order to access the API, the identity negotiation would need to be completed upfront. In the PoF demonstration we repeatedly said it was out of scope, but if you looked closely ... Alice did use a federated
credential. John did bring up identity proofing/LOA/trust in one of the early calls. Even though we do not deal with it directly, it does need to be represented/addressed and is a necessary part of the authorization/access "calculus". I know there are
a number of folks on this list already tackling this problem space and looking for ways to integrate into these profiles/workflow. We should let them help us. </span></b><span style="font-size:10.0pt"><o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">What Deb said.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">With regard to patient matching and discovery, would we try to keep these in or out of scope for the early parts of the roadmap?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><b>If we presume the patient is mediating in the center and has an explicit binding to their resources, there are no matching issues. </b><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">What Deb said. :-)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt">Client dynamic registration and AS discovery would be in scope from my POV.</span></b><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt">There has been a very promising discussion on the UMA list about a webfinger-ish personal discovery service. Not real yet though - a gap that I hope gets closed in the near future.</span></b><span style="font-size:10.0pt"><o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I'm hoping to actually read that thread soon! Whre.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">Is there a class of providers or data holders (hospitals, payers, labs, public facilities, etc...) that we could prioritize? <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt">Do we need to prioritize? Who's willing to share? Please let us know!</span></b><span style="font-size:10.0pt"><o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Ditto! :-)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt">Separate concerns - </span></b><span style="font-size:10.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt">If we believe the JOSE/JWT is essential for secure data exchange - we should stand behind it not compromise.</span></b><span style="font-size:10.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt">If we unearth some real policy concerns (US and International) or gaps in the standards, how do we place them in the parking lot/acknowledge them for others to tackle? Are there folks on this list willing to take on
some of those challenges?</span></b><span style="font-size:10.0pt"><o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I firmly believe that there is no inherent difference between the security characteristics of JSON/JOSE/JWT and XML/XML Encryption/SAML -- it's all just punctuation for data. The "security and privacy knobs can always be cranked up to 11"
if that's what we want to do.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Eve<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt">Deb</span></b><span style="font-size:10.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt">P.S. Disclaimer - Deb's personal views mindfully sent using Deb's personal email.</span></b><span style="font-size:10.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">On Sun, Apr 19, 2015 at 9:47 PM, Adrian Gropper <<a href="mailto:agropper@healthurl.com" target="_blank">agropper@healthurl.com</a>> wrote:<o:p></o:p></p>
</div>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<div>
<p class="MsoNormal">Then this is an excellent discussion. It suggests that there's a roadmap and some metric for achievability.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">For example:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">With regard to UMA Authorization Servers, are you suggesting that we consider a mix of personally-controlled and institutionally-controlled Authorization Servers or just one or the other?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">With regard to interface scopes, are there particular scopes that should be considered before others?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">With regard to identity management and identity federation, would we consider patient ID before or after provider ID?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">With regard to patient matching and discovery, would we try to keep these in or out of scope for the early parts of the roadmap?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Is there a class of providers or data holders (hospitals, payers, labs, public facilities, etc...) that we could prioritize? <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#888888"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#888888">Adrian<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#888888"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#888888"><o:p> </o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Sun, Apr 19, 2015 at 9:33 PM, Moehrke, John (GE Healthcare) <<a href="mailto:John.Moehrke@med.ge.com" target="_blank">John.Moehrke@med.ge.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I am not trying to limit the destination. I am trying to define the next achievable step.
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">John</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">
<a href="mailto:agropper@gmail.com" target="_blank">agropper@gmail.com</a> [mailto:<a href="mailto:agropper@gmail.com" target="_blank">agropper@gmail.com</a>]
<b>On Behalf Of </b>Adrian Gropper<br>
<b>Sent:</b> Sunday, April 19, 2015 5:13 PM</span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><br>
<b>To:</b> Moehrke, John (GE Healthcare)<br>
<b>Cc:</b> Eve Maler; <a href="mailto:openid-specs-heart@lists.openid.net" target="_blank">
openid-specs-heart@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-heart] HEART stepping stones<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hello John,<o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">There's no need for you to take my perspective personally. <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">"Data created fully by the patient" seems to be urging us to down-scope HEART to the non-HIPAA domain.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Adrian <o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On Sun, Apr 19, 2015 at 5:21 PM, Moehrke, John (GE Healthcare) <<a href="mailto:John.Moehrke@med.ge.com" target="_blank">John.Moehrke@med.ge.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hi Adrian,</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Interesting misrepresentation of what I said. I am disappointed that you feel it necessary to misrepresent
what I said. I am also disappointed that you feel it necessary to bring in other negative topics that I said nothing about. I am trying to find ground that we can progress forward on; while you seem to be just wanting to make personal assaults. </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Looking for the constructive message in your comment, I think you are suggesting that we scope our
efforts to the flow of information from the patient possession to points-elsewhere. I am fine with that kind of a scope. It also avoids the issues I was bringing up. I very much agree that data created fully by the patient is, and should be, totally controlled
by the patient. This scope also avoids the concerns that encumber healthcare provider environments: Medical Ethics concerns, Safety concerns, and concerns of wrongful disclosure. </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">John</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">
<a href="mailto:agropper@gmail.com" target="_blank">agropper@gmail.com</a> [mailto:<a href="mailto:agropper@gmail.com" target="_blank">agropper@gmail.com</a>]
<b>On Behalf Of </b>Adrian Gropper<br>
<b>Sent:</b> Sunday, April 19, 2015 12:42 PM<br>
<b>To:</b> Moehrke, John (GE Healthcare)<br>
<b>Cc:</b> Eve Maler; <a href="mailto:openid-specs-heart@lists.openid.net" target="_blank">
openid-specs-heart@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-heart] HEART stepping stones</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">John, I find your perspective both paternalistic and unscalable. <o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">US healthcare is awash in lack of transparency and the result is $1 trillion of unwarranted care. It's paternalistic and incredibly self-serving to presume that just because the
institution has been given a right to use patient data without any accountability as long as the data is for Treatment, Payment, or Operations, or De-Identified, or "Break the Glass", or prescription drug monitoring, or just plain lack of segmentation for access,
that it's good policy. The current regulations are the result of heavy and effective lobbying by a very well organized industry trying to protect its secrets by avoiding the HIPAA accounting for disclosures and patient right of access because they're "too
hard". Think of HEART as trying to fix the "too hard" problem.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Your perspective is also unscalable as more and more health-related data originates in wearables as well as home and environmental monitors, and then ends up in trans-national analytics
completely outside of the HIPAA regs. It's also unscalable as patient data such as genomes can no longer be collected under informed consent because nobody has any idea of how your genomic information will be interpreted three years from now and how that interpretation
might affect you or your children. It's also unscalable as the ability to promise de-identification for research becomes less and less realistic.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The simple fact is that surveillance, data processing, and data storage are now effectively free compared to the economic value of the patient data. Rent-seeking behavior by politically
astute institutions has been effective for the past few years but the natives are getting restless. If you want to read more: <a href="http://thehealthcareblog.com/blog/2015/04/16/last-chance-for-meaningful-use/" target="_blank">http://thehealthcareblog.com/blog/2015/04/16/last-chance-for-meaningful-use/</a> and
I hope you make the comments above on the blog.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Adrian<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">--
<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Adrian Gropper MD<span style="font-size:7.5pt"><br>
</span><span style="font-size:10.0pt">Ensure Health Information Privacy. Support Patient Privacy Rights.<br>
<a href="http://patientprivacyrights.org/donate-2/" target="_blank">http://patientprivacyrights.org/donate-2/</a><u><span style="color:blue">
</span></u></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">Adrian Gropper MD<span style="font-size:7.5pt"><br>
</span><span style="font-size:10.0pt">Ensure Health Information Privacy. Support Patient Privacy Rights.<br>
<a href="http://patientprivacyrights.org/donate-2/" target="_blank">http://patientprivacyrights.org/donate-2/</a><u><span style="color:blue">
</span></u></span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">_______________________________________________<br>
Openid-specs-heart mailing list<br>
<a href="mailto:Openid-specs-heart@lists.openid.net" target="_blank">Openid-specs-heart@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>